ConfigSync Does not work - solved again
-
Hi
I run two pfSense instances, both as virtual machines, on 2 individual XenServers inside one XenServer pool (Citrix open-source version).
Both are running fine; both have a WAN interface with a public IP and a LAN interface. I set up CARP on the LAN and WAN interfaces; that works. I am trying to get pfsync working, so I have a third interface configured. It is running in its own VLAN and subnet and can ping across.
Only the state and config sync does not work.
Can I provide some additional information?
Could somebody maybe shed a little bit of light on this for me? :)
cheers
neuernick
-
what log do you get when it fails?
-
Sorry, this is a bit of an annoyance for me; I do not see any log entries regarding this topic.
I tried a lot of config changes: adding rules, removing rules (firewall), adding and removing users…
From the System section I get this:
Nov 7 18:27:20 check_reload_status: Syncing firewall
Nov 7 18:27:20 php-fpm[95925]: /system_usermanager.php: The command '/usr/sbin/pw groupadd -g -M 2001,2002,2003 2>&1' returned exit code '65', the output was 'pw: group name required'
Nov 7 18:27:20 php-fpm[95925]: /system_usermanager.php: Tried to remove user but got user pw instead. Bailing.
Nov 7 18:26:27 php-fpm[95925]: /rc.filter_configure_sync: Could not find IPv6 gateway for interface(lan).
From the master. Nothing on the slave.
Firewall: low volume of the usual stuff, nothing on the pfsync interface.
By any chance, do I need to have the system password the same as the CARP password?
CARP is working; in order to get CARP I configured it on both hosts manually.
-
You don't seem to have config sync enabled at all, no logs there attempting anything.
-
hi
i have it enabled
Config snippet from Slave
<hasync>
<pfsyncpeerip></pfsyncpeerip>
<pfsyncinterface>opt1</pfsyncinterface>
<synchronizetoip></synchronizetoip>
<username></username>
<password></password>
<pfsyncenabled>on</pfsyncenabled>
</hasync>
config snippet master
<hasync><pfsyncpeerip>10.x.x.2</pfsyncpeerip>
<pfsyncinterface>opt1</pfsyncinterface>
<synchronizetoip>10.x.x.2</synchronizetoip>
<username>admin</username>
<password>[prefer to keep it in my place ;)</password>
<synchronizeusers>on</synchronizeusers>
<synchronizerules>on</synchronizerules>
<synchronizecerts>on</synchronizecerts>
<synchronizeschedules>on</synchronizeschedules>
<synchronizealiases>on</synchronizealiases>
<synchronizevirtualip>on</synchronizevirtualip>
<synchronizecaptiveportal>on</synchronizecaptiveportal>
<synchronizednsforwarder>on</synchronizednsforwarder>
<synchronizeauthservers>on</synchronizeauthservers>
<synchronizedhcpd>on</synchronizedhcpd>
<synchronizewol>on</synchronizewol>
<synchronizestaticroutes>on</synchronizestaticroutes>
<synchronizelb>on</synchronizelb>
<synchronizenat>on</synchronizenat>
<synchronizeipsec>on</synchronizeipsec>
<synchronizeopenvpn>on</synchronizeopenvpn>
<pfsyncenabled>on</pfsyncenabled></hasync>
just for reference, here is the ps output
[2.2-BETA][root@c3po.wks20.de]/root: ps auxx
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 11 199.0 0.0 0 32 - RL 9:40AM 1705:58.19 [idle]
root 0 0.0 0.0 0 144 - DLs 9:40AM 0:00.15 [kernel]
root 1 0.0 0.1 9472 760 - ILs 9:40AM 0:00.03 /sbin/init --
root 2 0.0 0.0 0 16 - DL 9:40AM 0:00.00 [crypto]
root 3 0.0 0.0 0 16 - DL 9:40AM 0:00.00 [crypto returns]
root 4 0.0 0.0 0 32 - DL 9:40AM 0:00.29 [cam]
root 5 0.0 0.0 0 16 - DL 9:40AM 0:18.22 [pf purge]
root 6 0.0 0.0 0 16 - DL 9:40AM 0:00.00 [balloon]
root 7 0.0 0.0 0 16 - DL 9:40AM 0:00.00 [sctp_iterator]
root 8 0.0 0.0 0 16 - DL 9:40AM 0:00.82 [pagedaemon]
root 9 0.0 0.0 0 16 - DL 9:40AM 0:00.00 [vmdaemon]
root 10 0.0 0.0 0 16 - DL 9:40AM 0:00.00 [audit]
root 12 0.0 0.0 0 352 - WL 9:40AM 2:53.23 [intr]
root 13 0.0 0.0 0 32 - DL 9:40AM 0:00.00 [ng_queue]
root 14 0.0 0.0 0 48 - DL 9:40AM 0:02.20 [geom]
root 15 0.0 0.0 0 16 - DL 9:40AM 0:18.52 [rand_harvestq]
root 16 0.0 0.0 0 64 - DL 9:40AM 0:03.55 [usb]
root 17 0.0 0.0 0 16 - SL 9:40AM 0:03.90 [xenwatch]
root 18 0.0 0.0 0 16 - IL 9:40AM 0:00.08 [xenstore_rcv]
root 19 0.0 0.0 0 16 - DL 9:40AM 0:00.10 [idlepoll]
root 20 0.0 0.0 0 16 - DL 9:40AM 0:00.00 [pagezero]
root 21 0.0 0.0 0 16 - DL 9:40AM 0:00.40 [bufdaemon]
root 22 0.0 0.0 0 16 - DL 9:40AM 0:06.70 [syncer]
root 23 0.0 0.0 0 16 - DL 9:40AM 0:00.41 [vnlru]
root 59 0.0 0.0 0 16 - DL 9:40AM 0:00.85 [md0]
root 248 0.0 2.3 222072 23468 - Ss 9:40AM 0:03.12 php-fpm: master process (/usr/local/lib/php-fpm.conf) (php-fpm)
root 264 0.0 0.3 19024 2560 - INs 9:40AM 0:00.03 /usr/local/sbin/check_reload_status
root 266 0.0 0.2 19024 2408 - IN 9:40AM 0:00.00 check_reload_status: Monitoring daemon of check_reload_status
root 276 0.0 0.4 13164 4424 - Is 9:40AM 0:00.05 /sbin/devd
root 1823 0.0 0.7 46668 6612 - S 5:21PM 0:01.29 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
root 4613 0.0 0.2 14664 2300 - Is 9:40AM 0:00.27 /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /var/etc/syslog.conf
root 9280 0.0 0.5 32428 5228 - Is 9:40AM 0:00.00 /usr/sbin/sshd
root 9298 0.0 0.2 14756 2224 - Is 9:40AM 0:00.01 /usr/local/sbin/sshlockout_pf 15
root 13706 0.0 0.2 16812 2340 - Ss 9:40AM 0:01.66 /usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid
root 14640 0.0 0.2 18788 2348 - Is 9:40AM 0:00.01 /usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf
root 15405 0.0 0.5 21720 5264 - Ss 9:40AM 0:00.48 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root 18624 0.0 0.2 12460 2180 - Ss 9:40AM 0:12.62 /usr/local/sbin/apinger -c /var/etc/apinger.conf
root 18650 0.0 0.3 28316 3004 - I 9:40AM 0:00.51 rrdtool -
root 27651 0.0 3.9 222072 39704 - I 11:45PM 0:00.05 php-fpm: pool lighty (php-fpm)
root 47414 0.0 1.8 28168 18052 - Ss 9:42AM 0:04.87 /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf -p /var/run/ntpd.pid
root 49311 0.0 0.2 8312 1960 - SN 11:58PM 0:00.00 sleep 60
root 49983 0.0 0.6 55632 6124 - Ss 11:00PM 0:00.16 sshd: root@pts/0 (sshd)
root 51653 0.0 0.2 8312 1960 - S 11:58PM 0:00.00 sleep 55
root 55975 0.0 0.2 17144 2488 - S 9:46AM 0:00.74 /bin/sh /usr/local/pkg/sqpmon.sh
root 60436 0.0 0.6 32240 6472 - Is 9:46AM 0:00.00 /usr/local/sbin/squid -D
proxy 60942 0.0 0.9 44528 9464 - S 9:46AM 0:04.90 (squid) -D (squid)
proxy 60997 0.0 0.2 10416 2016 - I 9:46AM 0:00.00 (unlinkd) (unlinkd)
unbound 62716 0.0 1.1 41400 10768 - Is 6:58PM 0:00.40 /usr/sbin/unbound -c /var/unbound/unbound.conf
root 67843 0.0 0.3 17144 2700 - SN 6:58PM 0:02.40 /bin/sh /var/db/rrd/updaterrd.sh
root 24 0.0 0.2 17144 2180 v0 Is+ 9:40AM 0:00.03 sh /etc/rc autoboot
root 269 0.0 4.7 230164 47436 v0 I+ 9:40AM 0:00.56 /usr/local/bin/php -f /etc/rc.bootup
root 28423 0.0 0.2 8312 1960 v0 I+ 11:58PM 0:00.00 sleep 60
root 91693 0.0 0.0 0 0 v0 Z+ 9:40AM 0:00.01 <defunct>
root 92287 0.0 0.2 17144 2400 v0 I+ 9:40AM 0:00.17 /bin/sh /usr/local/sbin/xe-daemon -p /var/run/xe-daemon.pid
root 50834 0.0 0.3 17144 2784 0 Is 11:00PM 0:00.01 -sh (sh)
root 51156 0.0 0.3 17144 2672 0 I 11:00PM 0:00.00 /bin/sh /etc/rc.initial
root 52860 0.0 0.2 18816 2384 0 R+ 11:58PM 0:00.00 ps auxx
root 74437 0.0 0.4 17484 3708 0 S 11:00PM 0:00.06 /bin/tcsh
[2.2-BETA][root@c3po.wks20.de]/root:
If i read the XML config correctly, the ha sync should be enabled
thanks a million for your help
cheers
volki
-
yeah that seems fine. How'd you get Xen tools on there? Anything else you've manually installed? Can you ping the secondary's 10.x.x.x IP from the primary?
-
pkg install xe-guest-utilty
Ping works fine.
telnet 10.10.1.2 80 GET gives valid HTML output.
Installed and configured so far are squid and openvpn.
I will reinstall out of the box again and try to accomplish pfsync/configsync before I do all the fancy stuff; it might be a sequence issue.
-
Normally you should have some output on the system logs containing sync or XMLRPC on it.
Can you show that?
Or even run /etc/rc.filter_synchronize manually and see how it goes.
-
Hi
I ran /etc/rc.filter_synchronize manually and it made no change at all.
I reinstalled both instances and now the config sync is working fine.
I did not reinstall the xe utils.
I did not reinstall squid and the openvpnclientpack.
Keep you posted.
-
Hi, I reinstalled, set up the config/pfsync, and started with the config afterwards.
this it works… ish
And after playing with squid, I checked the slave, and all of a sudden it was not syncing any more.
I used the squid 2 package.
-
And it is not working again :/
I updated via webgui to the latest version, and reinstalled the shellcmd + openvpnClientExport packages.
Invoking
/etc/rc.filter_synchronize
does not help.
-
Just a bump, to highlight that I am back in problem land :)
-
hi
I dumped the log files and went over every single entry.
This one got my attention:
php-fpm[70539]: /xmlrpc.php: The command '/usr/sbin/pw groupadd -g -M 2001 2>&1' returned exit code '65', the output was 'pw: group name required'
There is one user without a group; I fixed this and all of a sudden the pfsync is working again.
-
Thanks, pretty sure Ermal fixed that one earlier today.
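
The log entry that pointed to the cause can be found mechanically instead of by reading every line. The following is an added example, not part of the thread or of pfSense: it scans the log lines quoted above for failed php-fpm commands and reports which `pw groupadd` fields the caller left empty. Treating `/xmlrpc.php` as the endpoint used by config sync, and the function names, are assumptions of this example.

```python
import re

# Log lines copied from the posts above.
SAMPLE_LOG = """\
Nov 7 18:27:20 check_reload_status: Syncing firewall
Nov 7 18:27:20 php-fpm[95925]: /system_usermanager.php: The command '/usr/sbin/pw groupadd -g -M 2001,2002,2003 2>&1' returned exit code '65', the output was 'pw: group name required'
Nov 7 18:27:20 php-fpm[95925]: /system_usermanager.php: Tried to remove user but got user pw instead. Bailing.
php-fpm[70539]: /xmlrpc.php: The command '/usr/sbin/pw groupadd -g -M 2001 2>&1' returned exit code '65', the output was 'pw: group name required'
"""

# Shape of the php-fpm "command failed" entries seen in the thread.
FAILED_CMD = re.compile(
    r"php-fpm\[\d+\]: (?P<script>/\S+): The command '(?P<cmd>[^']*)' "
    r"returned exit code '(?P<code>\d+)', the output was '(?P<out>[^']*)'"
)
VALUE_FLAGS = ("-g", "-M")  # pw flags that must be followed by a value


def empty_pw_groupadd_fields(cmd):
    """List what the caller left empty in a 'pw groupadd' command line."""
    argv = [tok for tok in cmd.split() if ">" not in tok]  # drop 2>&1
    if len(argv) < 2 or not argv[0].endswith("/pw") or argv[1] != "groupadd":
        return []
    args = argv[2:]
    missing = []
    if not args or args[0].startswith("-"):
        missing.append("name")  # no positional group name before the flags
    for i, tok in enumerate(args):
        nxt = args[i + 1] if i + 1 < len(args) else None
        if tok in VALUE_FLAGS and (nxt is None or nxt.startswith("-")):
            missing.append(tok)  # flag is followed by another flag or nothing
    return missing


def scan(log_text):
    """Return one finding per failed command logged by php-fpm."""
    findings = []
    for line in log_text.splitlines():
        m = FAILED_CMD.search(line)
        if m:
            findings.append({
                "script": m["script"],
                "exit_code": int(m["code"]),
                "output": m["out"],
                "empty_fields": empty_pw_groupadd_fields(m["cmd"]),
                # Assumption: /xmlrpc.php is the endpoint config sync calls.
                "during_sync": m["script"] == "/xmlrpc.php",
            })
    return findings
```

On the quoted lines, both findings report an empty group name and an empty `-g` value, and the second one is flagged as occurring during sync.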